Method and apparatus for detecting malicious software through contextual convictions, generic signatures and machine learning techniques
First Claim
Patent Images
1. A computer implemented method for determining whether a software application is malicious, comprising:
- extracting a feature vector from said software application;
transmitting said feature vector from said software application to a server application;
receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said feature vector;
extracting metadata about the software application and gathering contextual information about a system on which the software application may be installed;
transmitting said metadata and contextual information to said server application, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system;
receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said metadata and contextual information;
computing a generic fingerprint for the software application;
transmitting said generic fingerprint to said server application; and
receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said generic fingerprint; and
performing an action with respect to the software application based on the information received from the server application and that was generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint.
6 Assignments
0 Petitions
Accused Products
Abstract
Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, methods, components, and systems that use important contextual information from a client system (such as recent history of events on that system), machine learning techniques, the automated deployment of generic signatures, and combinations thereof, to detect malicious software. The disclosed invention provides a significant improvement with regard to automation compared to previous approaches.
76 Citations
10 Claims
-
1. A computer implemented method for determining whether a software application is malicious, comprising:
-
extracting a feature vector from said software application; transmitting said feature vector from said software application to a server application; receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said feature vector; extracting metadata about the software application and gathering contextual information about a system on which the software application may be installed; transmitting said metadata and contextual information to said server application, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said metadata and contextual information; computing a generic fingerprint for the software application; transmitting said generic fingerprint to said server application; and receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said generic fingerprint; and performing an action with respect to the software application based on the information received from the server application and that was generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint.
-
-
2. A computer implemented method for determining whether a software application is malicious, comprising:
-
receiving at a server application information from a client application concerning; (i) a feature vector from said software application; (ii) metadata about the application and contextual information about a system on which the software application may be installed, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; and (iii) a generic fingerprint for the software application; applying a machine-learning derived classification algorithm to the feature vector, if feature vector information is received from the client application; examining metadata concerning the software application and contextual information about the client system, if metadata and contextual information are received from the client system; determining whether the generic signature should be deemed malicious, if a generic signature for the software application is received from the client application; and making a determination as to whether the software application should be deemed malicious with regard to the client application; and transmitting to the client application information generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint and concerning the determination as to whether the software application should be deemed malicious. - View Dependent Claims (3, 4, 5)
-
-
6. Non-transitory computer readable storage medium containing instructions for making a determination concerning whether a software application is malicious, said instructions comprising instructions for:
-
extracting a feature vector from said software application; transmitting said feature vector to a server application; receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said feature vector; extracting metadata about the software application and gathering contextual information about a system on which the software application may be installed; transmitting said metadata and contextual information to the server application; receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said metadata and contextual information, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; computing a generic fingerprint for the software application; transmitting said generic fingerprint to said server application; and receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said generic fingerprint; and performing an action with respect to the software application based on the information received from the server application and that was generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint.
-
-
7. Non-transitory computer readable storage medium containing instructions for making a determination concerning whether a software application is malicious, said instructions comprising instructions for:
-
receiving at a server application information from a client application concerning; (i) a feature vector from said software application; (ii) metadata about the software application and contextual information about a system on which the software application may be installed, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; and (iii) a generic fingerprint for the software application; applying a machine-learning derived classification algorithm to the feature vector, if feature vector information is received from the client system; examining metadata concerning the software application and contextual information about the client system, if metadata and contextual information are received from the client system; determining whether the generic signature should be deemed malicious, if a generic signature for the software application is received from the client system; making a determination as to whether the software application should be deemed malicious with regard to the client application; and transmitting to the client application information generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint and concerning the determination as to whether the software application should be deemed malicious to. - View Dependent Claims (8, 9, 10)
-
Specification